The August edition of the free-to-subscribe TUX Magazine covers a number of KDE applications: Guarddog "lets you have total control over your personal firewall without having to invest years in the study of firewalls and security", while digiKam is "a perfect all-in-one solution for importing, editing and managing photo albums from all my digital cameras over the last few years". There is also an extensive introduction to KDE's web page editor Quanta Plus, and you can vote for your favourite KDE applications in their first readers' choice awards.

Perhaps it could check using netstat which server ports >1024 are already in use and exclude them from the rule?

Ok, it's harder, and it is not perfect, but it is slightly better.

Another idea: it could ask the user what ICQ app (say kopete) he is using and then do something like "-m owner --cmdowner kopete" on the iptables rule.

Or, you could have ICQ-kopete ICQ-whatever rules.

Of course, that only works on the OUTPUT chain, so the connection may still take place, but the box shouldn't send much stuff over that connection that isn't ICQ (or gadu-gadu/MSN/whatever kopete can handle), I suppose.

I'll have a good think about how best to communicate that to the user.

(Suggestions are welcome. I'm gravitating towards an extra 'risk' column with a small rating symbol. Instead of little gold stars there will be scary little skull-and-crossbones symbols. :-) Seriously, that is exactly what I am thinking now.)

> 2. use ralsina's proposal

That is not likely to happen soon. It is, well, radically different from the current approach.

To be honest I don't think that warning the user is really going to help much. People don't read warnings. The best idea I can think of right now is to choose a range of ports and open only those for ICQ, and tell everyone to configure their ICQ client. That looks like the safest way to me.

(Email me, or take this to the mailing list. Let's not take over the Dot. ;) )
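The two ideas floated in the replies above (pick a port range for ICQ that avoids ports already listening on the box, and use the iptables owner match on the OUTPUT chain so only the chat client's process can answer on those ports) can be sketched in a few lines of shell. This is an added example, not Guarddog's code or anything posted in the thread: the netstat output is a constructed sample, `eth0` and uid `1000` are assumptions, and the rules are printed rather than applied so the script can run without root. It uses the `--uid-owner` form of the owner match; the rules it prints are a starting point, not a complete firewall.

```shell
#!/bin/sh
# Added example (not Guarddog's own code). Choose a free port range above 1024
# from netstat-style output, then emit iptables rules that open only that range
# inbound and let only the chat client's uid send on it. Interface, uid and
# port numbers below are assumptions for the demonstration.

# Constructed sample of `netstat -tln` output (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5001            0.0.0.0:*               LISTEN
tcp6       0      0 :::5004                 :::*                    LISTEN'

# listening_ports: read netstat -tln style lines on stdin and print the local
# port of every LISTEN line, one per line (handles a.b.c.d:port and :::port).
listening_ports() {
    awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

# find_free_range START SIZE: read used ports on stdin and print the lowest
# range of SIZE consecutive ports at or above START (and above 1024) that
# contains no used port, as "lo-hi".
find_free_range() {
    start=$1; size=$2
    [ "$start" -gt 1024 ] || start=1025
    awk -v start="$start" -v size="$size" '
        { used[$1] = 1 }
        END {
            for (lo = start; lo + size - 1 <= 65535; lo++) {
                ok = 1
                for (p = lo; p < lo + size; p++) if (p in used) { ok = 0; break }
                if (ok) { printf "%d-%d\n", lo, lo + size - 1; exit }
            }
        }'
}

# icq_rules IFACE LO HI UID: print (do not apply) iptables commands that accept
# new inbound TCP connections to LO:HI on IFACE and allow replies from those
# ports only when sent by a process running as UID; anything else on those
# source ports is dropped. The owner match is only valid on OUTPUT, which is
# why the inbound side cannot be tied to the client. Pipe to sh as root to apply.
icq_rules() {
    iface=$1; lo=$2; hi=$3; uid=$4
    printf 'iptables -A INPUT -i %s -p tcp --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' "$iface" "$lo" "$hi"
    printf 'iptables -A OUTPUT -o %s -p tcp --sport %s:%s -m owner --uid-owner %s -j ACCEPT\n' "$iface" "$lo" "$hi" "$uid"
    printf 'iptables -A OUTPUT -o %s -p tcp --sport %s:%s -j DROP\n' "$iface" "$lo" "$hi"
}

# Demonstration on the constructed sample: 5001 and 5004 are in use, so the
# first 4-port range at or above 5000 is 5005-5008.
RANGE=$(printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports | find_free_range 5000 4)
icq_rules eth0 "${RANGE%-*}" "${RANGE#*-}" 1000
```

On a live host replace the sample with `netstat -tln` (or `ss -tln`) output and point the ICQ client at the printed range; the INPUT rule still admits any connection to those ports, so the uid-owner DROP on OUTPUT is what keeps another process from talking on them.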

can only have a good firewall in place with Guarddog. That's definitely something for system administrators, but not for the average Joe user, who *uses* the computer but doesn't administer it.

Here is what I think would help Guarddog become a "user-friendly" rather than an "administrator-only" application:

1. Observing which applications are being used (learning mode) and allowing incoming and outgoing (if necessary) traffic.
2. KDE applications should have firewall integration, or Guarddog should monitor network applications like "kopete" or "kmail" and ask the user whether s/he wants to allow an internet connection.
3. Likewise kpf (personal web server) etc. should also ask Guarddog for permission, or Guarddog should restrict/allow an incoming connection.

This could only happen if Guarddog becomes a PART of KDE instead of just *an application*.

If Guarddog implements a few small things like these then Guarddog becomes the *friend* of the average Joe KDE user ;) else it will remain a friend of administrators, which users in general can't make use of.

Anyway, I love Guarddog; it is much better than setting iptables rules by hand. And I really want to thank the Guarddog authors/developers! Thanks guys, you made my KDE/Linux system secure :)

Actually, I thought Guarddog was the easiest firewall software I've found in a long time (ever?). I tried several different frontends for generating iptables stuff and I couldn't figure any of it out. None. Then I found Guarddog and was instantly impressed. Perhaps I know a bit more about IP, servers and clients than the average person, but anything that was "learning" like you suggested would be a pain. (I've tried ZoneAlarm on Windows and the constant popups about "Internet Explorer is trying to access the internet in the following way:..." just got bloody annoying.)

One minor (ok, major) problem which might not be Guarddog related: I'm on Gentoo and I had their scripts save the iptables state and reload it when I rebooted. This worked fine when I was behind a router, but now that I'm directly connected to the cable modem, it seems that the saved iptables state blocks all internet access (while I'm sure that's very secure, it's not exactly what I want ;p). I checked that the IP address doesn't change, but I can't imagine what else the problem could be.